The fruits of an apparent mid-2019 breach of Chinese media platform Weibo are now being sold on the dark web, and the asking price isn’t exactly eye-watering. The account information of 538 million Weibo users can be had for a mere $250, or less than half of one of the weekly “enhanced unemployment” checks most laid-off US workers are getting during the coronavirus crisis.
It’s true that this is not a particularly valuable breach in terms of hacking potential, as it reportedly contains no passwords or payment information. However, it would appear to make private data about nearly all of Weibo’s users available: the stolen information includes full names attached to the screen names of the Weibo users along with gender and location, fans and followers, and some users’ phone numbers. While this limited set of information likely would never have gone for more than a few cents per record on the dark web, the sheer size of this breach would have likely brought the hackers a lucrative return in years past. Apparently, it’s now worth maybe half a month’s rent in a questionable hostel.
How damaging is this for Weibo users?
The personal information exposed by this breach is limited in scope; the most troubling bit is the exposed phone numbers, which were available from about 172 million of the 538 million total accounts. Even basic account information could expose users to scam attempts, however, and pieces of it will likely be added to massive dark web “combo files” of personal information used for impersonation attempts and fraud among other things.
Perhaps the biggest risk is to anonymous Weibo users. Though Weibo is heavily monitored and censored these days, it is still sometimes used to share unfiltered news from around the country. It is also used by dissidents and for interpersonal communication that would be frowned upon by the ruling Communist Party; a separate site called FreeWeibo archives content that has been removed by censors. While the Chinese government likely has had free access to the private information in social media profiles for some years now, the general public has not.
Given the sheer number of profiles exposed, the data also likely contains the sensitive geographical location details and phone numbers of celebrities and high-profile individuals.
The hacker selling the information claimed in a dark web post that it came from a mid-2019 breach, so it is unclear if newer Weibo users or those who had removed their accounts in the past were included in the breach.
And while Weibo has acknowledged the breach, unclear responses have led some security experts to question if more information was exposed than the company is admitting to.
Hacking for profit in China
While China has developed a reputation for cyber actions by state-backed APT groups against other countries, petty criminal hacking of internal businesses is not tolerated by the government. The autocratic nature of the government and its broad surveillance network lend it law enforcement capabilities that most other nations do not have.
Of course, that assumes that the perpetrators are in China. The only indication of this is that dark web ads advertising the Weibo users’ data have been posted in Chinese. However, this would not be the first time that local hackers have tried their luck in spite of the odds. In 2018, a Chinese hacker breached the Huazhu Hotels Group and offered millions of customer records for sale on the dark web. The police arrested the perpetrator in three weeks.
Though there has long been a strong culture of hacking in China, it is not as freewheeling as it is in other countries known for their state-sponsored APT groups. Unlike in Russia, where there is a tacit understanding that citizens have a great deal of latitude to hack targets in other countries so long as they do not cause problems for Russian interests, the Chinese government is about as controlling of private hacking adventures as it is about anything else that happens within its borders.
The dark web market for personally identifiable information
It could be that the relatively low price being asked for the trove of Weibo users’ personal data is an attempt to simply sell at high volume during a small window before Chinese authorities pick up the trail. However, there has been a general downward trend in personal information pricing on the dark web in recent years as massive data breaches have become so common.
At this time, it does not appear that the breach exposed any passwords or personal financial information. However, it is also impossible to assume that information coming out of China that has any government influence attached to it is 100% accurate given the present circumstances. Both individuals and organizations should be alert to a knock-on effect of phishing attempts and SMS scams directed against any current or former Weibo users.